Showing posts with label passwords. Show all posts
Showing posts with label passwords. Show all posts

15 April 2019

Dyslexics Untied

Even though I have never officially been diagnosed, I'm mildly dyslexic. I've know for about 40 years, mostly because when I taught, I noticed characteristics in students' writing that I'd learned were red flags...and I had them, too. Nobody noticed them in me because I read well enough so my teachers paid little attention to me unless they needed someone to read a long passage in our primer aloud.

My writing didn't display many of the usual signs until I reached my late 30s. By then, I wore bifocals and my astigmatism was also a problem. I became aware that when I was tired, my cursive writing ran words together if the last letter of one word was also the first letter of the next one: thevening or sociallimits, stuff like that. It wasn't an issue when I typed.

My main problem comes out with numbers. The usual term is "dyscalculia," but that's not accurate in my case. I have little trouble with math or arithmetic facts. I still do calculations (accurately) in my head, and I loved plane and solid geometry in school. But I'm apt to reverse digits if I write a series of numbers. Credit card numbers, account numbers on invoices, and other such financial documents become a true adventure.

When I was in grade school, I often had one wrong answer on the weekly arithmetic tests, and with the benefit of 50-plus years of hindsight, I understand that the problem was always written at the extreme far side of the chalkboard so I saw it at an angle. My arithmetic was correct, but I would copy one digit inaccurately and the teacher marked the answer wrong without looking at my work.

Years later, when I became a teacher and we used computers in the classroom, students would come to me early in the year and say they couldn't find their grades on the printouts I posted. I posted by ID number to maintain anonymity (although everyone knew who got the best and worst marks), and I found that I reversed digits in the six-digit student numbers. Oops. Once I knew that, it became standard for me to warn kids the first day of class. In fact, it became one of my popular stand-up routines.

Now that I'm retired from teaching, I've discovered a new twist to my dysfunction. I'm trying to teach myself to play piano (pause for uproarious laughter) and I occasionally play the wrong staff with one hand or the other. Since the notes occupy different positions on the respective clefs, it creates some frightening harmony. Some jazz buffs or Schoenberg fans might love it, but my ear is good enough to recognize dissonance when I hear it. (Years later, I wonder if dyslexia helped Victor Borge play piano compositions upside down, which I often saw him do.)

I've played one instrument or another since age 10, but I don't read music well (although my grasp of theory is solid--go figure). Part of that could be lack of practice. As a guitar-playing friend says, "If God wanted us to read piano music, He would have put our eyes above one another." The good news is now that I'm trying to read music more often, I seem to learn new songs more quickly.

Another small bonus to dyslexia is my passwords on various sites. I often use names or quotations BACKWARDS and seldom have to think about them because spelling backwards is not a big deal. Think of palindromes. "Able was I ere I saw Elba," for example. My wife needs a printout of all of them because she can't spell that way (pause to gloat). However, she can read printed material upside down.

By the way, if you recite

the alphabet backwards, you'll discover that the rhyme and rhythm are even more lyrical and easier to remember than the "correct" way:

Z Y X and W V,    U T S and R Q P,     O N M, and L K J,   I H G, F E D C B A.

Since you asked....

18 February 2019

Surviving the Byte of the Cobra, part 2

The exemPlum doesn’t fall far from the tree…

Yesterday, we discussed password problems. Today, we look at those subversively risky personal questions used to zero in on you and perhaps your wallet.

A fair lot of crap programming comes out of Bangalore, so it’s befitting software designers call this particular law of unintended consequences ‘the cobra effect’.
The Cobra Effect
During British Crown Rule of India, legend says administrators grew concerned about the numbers of vipers infesting Delhi. The colonial governor offered a bounty for every dead cobra brought in. However, the plan’s short-term success was undermined by enterprising locals breeding cobras to collect bounties. The British governor terminated the program. Disappointed cobra farmers subsequently released their breeding serpents into the wild, far worsening the problem… or so the parable goes.
Character Reference

Last week, I needed to register on-line with a county agency. (No, my readers, NOT the Department of Corrections as the snarky amongst you might suspect.)

The first hint of difficulty lay in the most restricted character set to date, merely letters and numbers, no punctuation whatsoever. This thoughtfully provides bad guys huge hints: “Psst. Save time, fellas. Don’t bother testing the lock with those difficult oddball characters.”

The next clue… You know those personal identifying questions in case you forget your password? Questions like naming your favorite cheese or your first juvenile parole officer? These questions mask some of the greatest risks in computerdom. Anyone who knows the least bit about you can guess the answers.

Worse, I’ve encountered sites that provide convenient drop-down menu answers, a selection of eight or so choices. One of the most popular questions with a handy menu is, “What’s your favorite color?”

Presumably this helps the spelling-challenged, but what a gift to bad guys. Immediately black-hat hackers rule out black and white, rarely anyone’s favorites. That leaves six or eight choices, hardly a burden for the least capable password cracker. They need not guess if they notice the blue shirts and blue cell phone cover ordered on Amazon and now appearing in your latest Facebook pose.

Moral: Never answer a question with a menu choice.

Orange County registration questions
Orange County Registration Questions
 Your Government at Work

At left, notice the personally identifiable questions from the aforementioned county agency. Anyone with the slightest knowledge about you can guess the answers. Anyone who doesn’t know you, can easily google your name, learning where you attended high school, your favorite team, your pets, and your mother’s maiden name.

What can you do about it?

Don’t play the game.

First, of course, avoid Q&A with drop-down menus. That’s a given.

If the web page doesn’t feature drop-down menus, you can answer your favorite color of yellow, orange, or red with “sweet cream banana pie yellow”, “fancy freckle-farm fulvous fantasy,” or “notorious red dye number 2”.

If you know French, Spanish, or Romanian, you might utilize that knowledge, perhaps in combination with the verbose suggestion above. Answer your favorite color as ‘rouge’, ‘rojo’, or ‘roșu’. If you don’t know a foreign language, try Pig Latin, e.g, ‘edray’ or ‘ellowyay’.

But I never could abide by the rules. There’s an easier way than such hard-to-remember replies.

You can boost security if you make your answers– every answer– a non sequitur, a nonsense phrase. Remembering will be easier if you use the same response, such as “None of your damn business.” For example:
Favorite author?
None of your damn business.
Favorite color?
None of your damn business.
Favorite team?
None of your damn business.
Web sites like Apple’s recognize and object when an answer is repeated while populating a questionnaire. One solution is to exactly echo the question with leading or trailing words. For example, “Favorite author?” can be answered with, “My favorite author is none of your damn business,” or more simply, “Stuff my favorite author,” and “Stuff my favorite team,” etc.

Most importantly, choose a method that fits your style, then keep that information to yourself. Not playing by their dictates helps keep your data safer.

Don’t play the game.

Make up your own rules.

Password Security Question

Q. What’s your favorite security question?

A. ______________________________

17 February 2019

Surviving the Byte of the Cobra, part 1

Shibboleths and Shinola

As you may know, I spent years computer consulting for major corporations. I developed low regard for the so-called security found in many businesses, banks and brokerage houses, and lesser government agencies. Many so-called safety ‘features’ introduce unintended vulnerabilities.

Stick with me today and tomorrow. I’ll show you a method or so to help plug one or two security holes and help protect yourself.

Just Say No

Recently, I found myself unable to create an on-line account with my insurance company. The business published no password restrictions, so I started with something like §103NádražníBeržųStraße – I’m not kidding – I take the security of my most critical sites seriously. The system didn’t accept that, a big clue that password and privacy isn’t a high priority with them. I whittled away diacriticals and then the leading special character §, but still nothing. After reduction to a plain vanilla password, and still no access I contacted customer service, asking how to solve the problem.

Naturally the customer service lady wouldn’t put me in direct touch with IT, the people who should know. She spent roughly 15 minutes piecing together the requirements: no more than ten characters from a measly set of the 62 alphanumeric characters plus underscore and hyphen.
“You’re kidding,” I said.

“What do you mean?”

“Those are the weakest password requirements I’ve come across in a long time.”

“Oh no, sir. We’ve never been hacked, so we’re very pleased.”

“You mean you haven’t drawn the attention of hackers.” The more restrictions placed on passwords, the easier for miscreants to breach the walls.

I could feel her bristle through the phone line. “Our staff understands our needs very well, I’m sure.”

Uh-huh. I thought dryly. They could withstand a concerted attack for, well, hundreds of seconds.
The only safe solution was not to use their on-line ‘service’ at all. In the future, what little information I might need will come by telephone and US mail.

It’s 1980, No Pasting Allowed

Ever encounter a web site that won’t allow you to paste in your password? Sure you have, and it’s frustrating as hell. Worse, it adds vulnerabilities rather than resolves them.

Years ago, some misguided ‘expert’ decided password paste prevention sounded pretty cool, and lo, he advised others about his really cool hypothesis. It turned out wrong, dead wrong.

Preventing pasting discourages visitors from using long, complex passwords, prevents utilizing password managers, and makes it easy for cracking hardware and software ‘keyloggers’– to monitor what you type in. Even the task group within NIST, the US National Institute of Standards and Technology, advises against disabling password pasting.

Clearly a number of corporations didn’t get the memo. What can a trapped user do? A few suggestions come to mind.

The web page may disable pasting keyboard shortcut but not disable the menu paste entry. This occurs often enough, it’s worth trying first.

A second possibility is to temporarily disable JavaScript. After doing it a couple of times, it doesn’t take long, certainly less time than blindly typing in a long string. Simply bring up the web page. When you reach the field that won’t let you paste, disable JavaScript by invoking Preferences, click Disable JavaScript in the Security or Privacy tabs, paste your password, and immediately re-engage JavaScript. (Note: This doesn’t work with Firefox, which won’t let users disable JavaScript.)

If that fails, try to resist using a short and simple password, one reason why this disagreeable ‘feature’ is so dangerous.

When It’s All About Length

I came across a bug in a popular web site. The registration web page happily accepted my lengthy password, but would not allow me to sign on.

I learned the site used an unadvertised maximum limit of 20 characters. Further investigation concluded it didn’t limit or validate the length of the password string. The registration page stored a function of the first 20 characters, no matter how many were entered. The sign-on page also didn’t check the limit of characters, but simply compared its value with the stored value, resulting in a mismatch.

In other words, I tried to register AbCdEfGhIjKlMnOpQrStUvWxYz, but the program stored AbCdEfGhIjKlMnOpQrSt. When I tried to sign on, the page compared the stored AbCdEfGhIjKlMnOpQrSt with the sign-on value of AbCdEfGhIjKlMnOpQrStUvWxYz and failed, a stupid programming error. (Engineers will note I’m grossly simplifying a hash encryption function.) Bad, bad program design.

Mine’s Smaller Than Yours

A web site’s failure to validate the length of a password allowed me to pull off a silly little trick of questionable value. In the early days of the Web before it came under attack by Russian crackers and North Korean ransomware, I’d registered at a particular web site with a short password.

Years later, alarmed at attacks occurring worldwide, the site instituted stricter registration policies, including using lengthy password minimums double the length of mine. They validated new password lengths at registration, but not during sign-on.

The site wasn’t critical for me, which led to an idiosyncratic decision to keep my old, deprecated password. A brute-force attacker would likely note updated site rules that passwords must run at least twelve characters in length. If so, my dinky little password ought to sail under their radar. (And if not, I could live without the site.)

Tomorrow… Cobras and those pesky and perilous personal mystery questions.

11 August 2013

PINs and Passwords, Part 2

The Saint
The Saint
Today’s message, bottom line first.
  1. Users spend more time thinking up names than they do passwords.
  2. Worry less about the variety of characters you use in a password (or P@$$w0rd) and opt for long passwords, which offers far more security.
  3. You’ll find examples of the most common passwords at the end of the article.
Now, if you’re in the mood as a writer or reader to learn how passwords are created, stored, and broken, read on.

Good Book, Bad Passwords

In managing programmers and a computing center, I was responsible for the final line of security. Although networked, our machines faced fewer threats than computers do now. They wouldn’t pass muster today, but I leaned on Biblical and historical words, such as that original password, shibboleth. Our discs required separate access passwords to read, write, and multi-write, so I not-so-cleverly chose Shadrach, Meshach, and Abednego. Naturally you see a problem: If someone cracked one, they should be able to figure out the other two.

Biblical passwords still flourish throughout the internet, albeit in the form as first names: Angel, Daniel, David, Faith, Grace, John, Jordan, Joshua, Michael, and the most often appearing name: Jesus. Let me tell you, folks, you shouldn’t rely on Jesus (the name at least or that ever-popular jesus1), to protect your private information. As Leslie Charteris's The Saint might say, the ungodly never sleep.

Deep and Wide

I can’t seem to get away from Biblical allusions today.

We can look at a password in two dimensions, depth and length. A simple PIN number is 10 characters in depth (0-9) and typically 4-digits wide, although PIN lengths up to 10 digits and passwords over fifty characters aren’t unheard of. We might say an alphanumeric upper case only password is 36 characters deep, for example: AARDVARK. Computer scientists use the fancy term ‘entropy’ in reference to ‘uncertainty of a random variable,’ usually considered in code-breaking. Mixed case greatly increases the ‘entropy’ or difficulty in guessing it, e.g, AaRdVaRk. Allow any character of a keyboard, and you run up the difficulty again, i.e, /\år∂vårk. Conversely, rely only on numbers or single dictionary words (or puerile swear words), and you seriously compromise the security of your account.

The ‘aardvark’ example at right shows passwords represent a two-dimensional array. From a Chinese menu, you pick one character from column one, another character from column two, etc. The greater variety of characters allowed, the greater the difficulty of cracking. But entropy increases even faster if you type longer passwords.

So, pardon me for restating the cliché, but longer is better. Thus you can radically harden your password by increasing its length, i.e, Tough_nut_to_crack, assuming your provider allows passwords that long. The lesson here is you potentially gain more strength from longer passwords versus short ones with special characters. Pick anything you privately know and like, perhaps a quotation or phrase that sticks in your head and go with that.

Cracking the Code

How do crackers break passwords? They know the frequency of passwords like we show below, so normally they take a few stabs at the obvious, ‘123456’ or ‘password’. If they’re serious about cracking your account, they use a script to run through the possibilities in the ‘aardvark’ table at right, a character at a time, just like an odometer. I encourage you to make life as difficult as possible for them.

But the ungodly have other ways. If a malicious party can trick you into downloading a tiny piece of code, they can monitor your keystrokes. This works in a way similar to child monitoring software, but it transmits your keystrokes– all of them– to a third party somewhere else in the world.

Soft and Hard

While we’re on the subject of nanny monitoring software, you might want to check nobody’s monitoring you! You’re vulnerable to anyone who has access to your computer.

Eli Lilly
A client had a problem of files being deleted. Eli Lilly thought someone was logging onto and vandalizing machines after hours, but couldn’t figure out how. After advising the client to make personal backups of everything, I went on the hunt for two possibilities: either a keystroke monitoring program or a discreet hardware device called a keystroke logger that plugs between the keyboard cable and the back of the computer.
keystroke logger © CNH Tech

The culprit turned out to be an insecure (and in my opinion nasty) little supervisor who didn’t want her subordinates to shine too brightly. Ofttimes a woman’s workplace impediment isn’t men, it’s other women.

In my consulting experience, such micro-espionage tricks are hardly unique. You never know when or where you might be spied upon.


Skip, if you wish, the following explanation how letters and passwords are stored, although crime writers might find the techniques useful in a story. Let’s take an easy word, say EASY itself. Normally each letter of the alphabet and punctuation character is stored individually as a number. The letter E stores in binary as 0100 0101. This happens to be 69 in decimal, but programmers look at it in base16, hexadecimal, which works out to 4516 or x45. If a program stored this in ‘plain text’, it would be easily readable by anyone familiar with the encoding, say ASCII or UniCode.
word: E  A  S  Y
dec: 69 65 83 89
hex: 45 41 53 59
#: 1,161,909,081
Normally, companies and government agencies deal with sensitive data in two ways. One is to encrypt it. When you provide a credit card, the program should take a great deal of effort to obscure your card number while allowing it to be retrieved when the time comes.

They could also encrypt passwords, but why store passwords at all? When you think about it, all the computer needs is a yes/no answer whether the password you give now matches the original you made up long ago.

So programs create a different number that represents the password– a polynomial, a hash, or a modulus. Rather than look at EASY as a string of letters or even digits, we view it as one long number, just over a billion or precisely 1,161,909,081. This number looks large, but it’s minuscule in security terms.

To obtain its modulus (remainder), computers divide it by a huge prime number, though we’ll use a small one, say 33,331:
34859 r.23752
We don’t care about the quotient, only the remainder, 23,752, which we save as a user key code, rather than the user’s password, which could be subject to hacking. The program then deliberately ‘forgets’ the original password, information too vulnerable to keep around. Thus, a well-behaved database of users won’t contain any passwords, and because the program uses large numbers, especially the prime divisor, it makes cracking the code by anyone other than the NSA or a pimply-faced nerd in Ukraine extremely difficult.

How does it work? When a member logs in, he provides a password. Because the computer no longer remembers the original, it divides the given password by that large prime and if the result matches the stored key-code, it allows the user in.

Adapt and Adjust

Final tip: Use the longest possible password you’re comfortable with. If you have a difficult time with special characters and weird spellings, rely on this simple trick: Use a ‘pass-phrase’, not a password, or better yet, make up a sentence. For example: ’23 Valley of the shadow of death’. If your account provider doesn’t like spaces, then use underscores or omit them. If they severely restrict the length (like my stupid bank), then use the maximum and consider special characters. Adapt and adjust.

Following are the most common passwords harvested from four different internet web sites. Some of them aren't pretty. Learn and avoid!

 MySpace  FaceBook  phpBB
rank % password % password % password % password
1 0.24 password1 1.46 password 1.02 123456 3.03 123456
2 0.16 abc123 1.18 123456 0.61 jesus 2.19 password
3 0.12 password 0.39 12345678 0.41 password 1.45 phpbb
4 0.09 iloveyou1 0.26 1234 0.29 love 0.94 qwerty
5 0.09 iloveyou2 0.25 qwerty 0.20 12345678 0.82 12345
6 0.09 fuckyou1 0.21 12345 0.20 christ 0.60 letmein
7 0.08 myspace1 0.20 pussy 0.17 jesus1 0.59 12345678
8 0.08 soccer1 0.18 monkey 0.16 princess 0.53 1234
9 0.07 iloveyou 0.17 baseball 0.16 blessed 0.51 test
10 0.06 iloveyou! 0.17 football 0.15 sunshine 0.43 123
11 0.05 football1 0.16 letmein 0.13 faith 0.38 trustno1
12 0.05 fuckyou 0.15 696969 0.13 1234567 0.33 dragon
13 0.05 123456 0.15 abc123 0.12 angel 0.32 hello
14 0.05 baseball1 0.15 michael 0.11 single 0.31 abc123
15 0.05 soccer 0.15 shadow 0.11 lovely 0.31 111111
16 0.05 123abc 0.14 111111 0.11 freedom 0.31 123456789
17 0.04 hello1 0.12 master 0.10 blessing 0.30 monkey
18 0.04 qwerty1 0.11 superman 0.10 12345 0.29 master
19 0.04 summer1 0.11 harley 0.10 grace 0.23 killer
20 0.04 monkey1 0.11 1234567 0.10 iloveyou 0.22 123123
21 0.04 password2 0.11 fuckme 0.09 7777777 0.22 computer
22 0.04 nigger1 0.11 fuckyou 0.09 heaven 0.22 asdf
23 0.04 fuckyou! 0.11 trustno1 0.09 angels 0.20 shadow
24 0.04 nicole1 0.10 ranger 0.09 shadow 0.20 internet
25 0.04 cheer1 0.10 buster 0.09 1234 0.20 whatever
26 0.04 asshole1 0.10 hunter 0.08 tigger 0.20 starwars
27 0.04 fuckyou2 0.10 soccer 0.08 summer 0.17 1234567
28 0.04 blink182 0.10 fuck 0.08 hope 0.16 cheese
29 0.04 poop 0.10 batman 0.07 looking 0.16 pass
30 0.04 dancer1 0.10 test 0.07 peace 0.16 matrix
31 0.04 jordan23 0.10 pass 0.07 mother 0.16 tigger
32 0.03 football 0.09 killer 0.07 michael 0.15 aaaaaa
33 0.03 bitch1 0.09 hockey 0.07 shalom 0.15 pokemon
34 0.03 orange1 0.09 love 0.07 rotimi 0.15 000000
35 0.03 soccer2 0.09 michelle 0.07 football 0.15 superman
36 0.03 123456a 0.09 andrew 0.07 victory 0.15 qazwsx
37 0.03 baseball 0.09 sunshine 0.07 happy 0.14 testing
38 0.03 eagles1 0.09 jessica 0.07 purple 0.14 football
39 0.03 volcom1 0.09 asshole 0.07 john316 0.14 1
40 0.03 chris1 0.09 6969 0.07 joshua 0.13 blahblah
41 0.03 monkey 0.08 daniel 0.06 london 0.13 654321
42 0.03 flower1 0.08 access 0.06 superman 0.13 fuckyou
43 0.03 summer06 0.08 123456789 0.06 church 0.13 11111
44 0.03 ashley1 0.08 654321 0.06 loving 0.13 joshua
45 0.03 love123 0.08 joshua 0.06 computer 0.12 helpme
46 0.03 princess1 0.08 starwars 0.06 mylove 0.12 thomas
47 0.03 love 0.08 hello 0.06 praise 0.12 michael
48 0.03 nigga1 0.08 123123 0.06 saved 0.12 biteme
49 0.03 fucker1 0.08 ashley 0.06 richard 0.12 forum
50 0.03 angel1 0.07 666666 0.06 pastor 0.12 secret
• Credit for table: Jimmy Ruska